As more and more cyberattacks hit the headlines, business owners today are waking to the realization that they must have a robust cybersecurity solution. Unfortunately, far too many organizations are just barely scraping the surface of what cybersecurity truly requires today.
What’s typically missing is a comprehensive security plan and cybersecurity checklist that everyone in the organization can follow. Just like a cyberattack, ignoring these important cybersecurity policies and procedures can bring a business to a screeching halt.
Mike Moran, president of Affiliated Resource Group, has been serving Central Ohio manufacturers, distributors, professional services firms, and health care practices for over 20 years. For nearly a decade, Mike has also been sounding the alarm for his clients to follow a well-defined cybersecurity and compliance plan.
Which Businesses Put Themselves At Risk By Not Following A Security Plan?
Mike says, “Any organization that captures, uses, stores, manages, or transmits protected data must have a cybersecurity plan in place. Some industries, such as the financial industry, health care industry, and Department of Defense contractors (and subcontractors), require data protection plans. But ultimately, any executive concerned about their reputation and bottom line should have a comprehensive cybersecurity plan.” The state of Ohio even passed a Cybersecurity Safe Harbor Law that provides a defense against civil litigation when a company has created and actively implemented a cybersecurity plan.
Cyberattacks wreak havoc on bottom-line dollars. Sixty percent of the time, cybercriminals target small businesses. Then, on average, it can take three workdays or longer to recover. Think about how much revenue loss and productivity loss — and how many potential lost customers/clients — you could incur in those three days.
5 Steps Toward A More Proactive And Secure Environment
When disaster strikes at home, you know what to do. But most executives have no clue what to do when a hacker locks down all their data and demands tens of thousands of dollars in cryptocurrency.
Mike says, “Affiliated Resource Group has modeled our checklist and cybersecurity solutions based on the government-recommended best practices approach (the NIST Cybersecurity Framework), and we have presented this five-step security model to all our clients and prospects over the past five-plus years. And once they start adopting these measures, they start to gain control of their IT environments.”
Step 1: IDENTIFY
Before you can protect your network and data, you must better understand what you are protecting.
✓ What exactly are you trying to protect? Make a thorough list of your technology assets.
✓ What are your expectations in getting your systems back up and running and preventing a data breach?
✓ Determine your current level of risk with a comprehensive risk assessment.
“With our once-a-year risk assessment, we help our customers with their assets and software. Next, we sit down with the leadership team and put their priorities on paper to maximize IT efficiencies and security,” Mike says.
Step 2: PROTECT
This is where most companies focus their IT efforts, but it can’t be the only area of focus. In this vital step, you should be able to answer the following questions:
✓ How do you log in to your systems and who can log in? Do you have a password policy and procedure? More importantly, is everyone in your organization following it?
✓ Do you have current policies and procedures regarding adding antivirus software and patches?
✓ How does your backup work and what does it cover?
“In a recent survey,” Mike says, “one-third of companies admitted their backups were not good enough if they ever had to recover from an incident. They risk losing considerable data and productivity.”
✓ Are you simply protecting your end points with antivirus software?
✓ Do you have a user-awareness training program?
Simply sending out a phishing email test once a quarter is not sufficient. You should implement an ongoing awareness program that trains every team member.
Step 3: DETECT
People often assume burglar alarms prevent robberies. However, an alarm is more of a detection tool: it sounds and people are notified of a potential incident.
In cybersecurity, the proactive stage of detection is crucial to significantly reducing exposure and preventing data theft.
✓ Can you detect when your network is potentially compromised?
✓ How soon after this compromise do you get an alert?
“Many ransomware attacks start with the hacker breaking into the system months before they lock your data and request a large payment,” Mike says.
Step 4: RESPOND
You come into the office, find your system is down, and can’t access any files. Fear consumes you as you stare at a daunting message saying you won’t get your customer records until you pay $25,000 — or more. What do you do?
Mike says, “The steps you take next could very well determine if you get your data back, how much you pay (if anything), and just how long your employees are sitting idle and unproductive.”
✓ How do you mitigate the threat and isolate it to a single computer?
“Most people simply turn off the compromised computer,” Mike says. “That’s not necessarily what you do. Rather, you keep it on and disconnect it from the network. Also, instead of scrubbing the machine, it’s important to do forensics on it to prevent further damage.”
✓ Have you documented your response plan?
✓ Whom do you need to call — your cyber liability insurance or the authorities?
✓ What is the message you want your staff to convey to customers, clients, vendors, etc.?
Step 5: RECOVER
“This is why I love my job and our team,” says Mike. “In the rare case where a client endures a cyberattack, I get to call and tell them that our managed backup-solution process worked — we successfully remediated the exposure and recovered all their files. At that moment, I can feel all their worries melt away.” But if you want a happy ending to your own story, it’s crucial that you have a plan in place to successfully restore and return your affected systems and devices back to normal. Questions to consider during the recovery step:
✓ Can the system be restored from a trusted backup?
✓ How soon can systems be returned to production?
✓ How do you ensure similar attacks will not reoccur?
For over 27 years, Mike Moran and his team have been affiliated with their clients to help them accomplish their goals. He says, “We have customers who have counted on us for 12, 15, and even 18 years. We do everything we can to improve their protection and improve their efficiency. We are affiliated with them, and they are affiliated with us. Hence, our name, Affiliated Resource Group.”
You should never abdicate the critical pieces of your business. That includes information technology. While your internal IT team or third-party IT provider should handle your cybersecurity technical environment, you should also have a clear picture of your cybersecurity policies and procedures. After all, a cyberattack will negatively affect your business, your finances and your productivity.
At the very least, you should know the answers to these nine crucial questions:
- What do we want to protect?
- What are we required to protect?
Mike Moran says, “Your state, your industry, and the type of data you collect determine if you must protect that data or risk fines and lawsuits.”
- How are our applications prioritized, and which of them are most important?
- What are the relevant threats to our organization?
“While everyone thinks of external threats like ransomware and viruses, you must also consider internal threats. As an example, your customer list is an attractive asset to employees who are considering leaving the organization,” Mike says.
- How comfortable are we as an organization with our ability to actively respond?
- Who is responsible for our programs?
Mike says, “Simply saying, ‘My internal IT team or our third-party IT provider is responsible,’ is the wrong answer. Everybody in your organization, especially the leadership, is responsible.”
- Do we have a response plan in place in case we get hit?
- When was the last time we reviewed and updated our systems or had a risk assessment?
- Can we do this ourselves?
For more information on Affiliated Resource Group, visit AResGrp.com.